Last year, Tor—the service which allows people to use the internet with anonymity—was attacked. Now, a new report suggests that the FBI paid Carnegie Mellon University a cool $1 million to carry out the work.

At the time of the attack, Tor believed it had been carried out by Carnegie Mellon’s Computer Emergency Response Team. The attack ran from January ‘til July, during which time it was claimed that the researchers gathered information on Tor’s users. The CERT researchers had been due to present work about de-anonymizing Tor at a Black Hat security conference, which they abruptly cancelled—which only served to reinforce speculation that they’d been behind the attack.

Now, in a blog post on the Tor Project website written by its director Roger Dingledine, it’s claimed that the “researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes.” The Tor Project believes—from “friends in the security community”—that payment could have been as high as $1 million. The team goes on to claim that it has “no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board.”

If it’s true, Tor is right to be pissed: while security research is important, the attack seems to have been aimed indiscriminately at users, not simply at criminals. Still, that’s a big if. For its part, Carnegie Mellon certainly isn’t owning up just yet. “I’d like to see the substantiation for their claim,” said Ed Desautels, a PR officer, to Wired. “I’m not aware of any payment.”

The claim from Tor has come about in the wake of a report from Motherboard which describes the contents of legal documents used in the Silk Road 2.0 case. Contained within them are references to the fact that the accused, Brian Richard Farrell, was unmasked using information obtained by a ‘university-based research institute.’

It remains unclear exactly what happened and whether any payment was made. But that doesn’t stop Dingledine from an attack on modern academic ethical standards. “Whatever academic security research should be in the 21st century,” he writes, “it certainly does not include ‘experiments’ for pay that indiscriminately endanger strangers without their knowledge or consent.”